yahoo-eng-team team mailing list archive

[Bug 1366020] [NEW] LDAP Identity does not convert ID to DN for lookup

Public bug reported:

There is a disconnect between how Identity gets users for
authentication and how it creates users.

When creating a user, deleting a user, etc., the identity code calls:


            conn.add_s(self._id_to_dn(values['id']), attrs)

which attempts to convert an ID to a DN in two different ways. One is by
composing the DN:


    def _id_to_dn_string(self, object_id):
        return u'%s=%s,%s' % (self.id_attr,
                              ldap.dn.escape_dn_chars(
                                  six.text_type(object_id)),
                              self.tree_dn)


The other is by searching for a record of that objectclass.

The difference is whether subtree searches are enabled.


The authenticate code path is different:


    def authenticate(self, user_id, password):
        try:
            user_ref = self._get_user(user_id)
...
    def _get_user(self, user_id):
        return self.user.get(user_id)


    def get(self, object_id, ldap_filter=None):
        res = self._ldap_get(object_id, ldap_filter)


    def _ldap_get(self, object_id, ldap_filter=None):
        conn = self.get_connection()
        query = (u'(&(%(id_attr)s=%(id)s)'  ....


Note that this second way of finding the object matches the subtree search method.


I think this has worked thus far mostly due to convention: if a DN is of the form:

uid=ayoung,cn....

and the object has the attribute

uid=ayoung


Both searches will match the object. However, if the DN is like this:

CN=ayoung,CN=...

but the user has

CN=Adam


The second will not match.
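As an added illustration (this is not keystone's code), the two lookup strategies the report contrasts, run side by side against a constructed in-memory directory. It assumes a simplified RFC 4514 escaper standing in for ldap.dn.escape_dn_chars, case-insensitive attribute comparison (caseIgnoreMatch), and a plain dict of DN to attributes in place of a live LDAP server.

```python
# Added example, not keystone's code: the composing and the filter-search
# id-to-DN strategies, run against a constructed in-memory directory.
import re

def escape_dn_chars(value):
    """Simplified RFC 4514 escaping, standing in for ldap.dn.escape_dn_chars."""
    out = ''.join('\\' + c if c in ',+"\\<>;=' else c for c in value)
    out = '\\' + out if out[:1] in ('#', ' ') else out
    return out[:-1] + '\\ ' if out.endswith(' ') else out

def id_to_dn_string(id_attr, object_id, tree_dn):
    """Strategy 1 (_id_to_dn_string): compose the DN from id_attr and tree_dn."""
    return '%s=%s,%s' % (id_attr, escape_dn_chars(str(object_id)), tree_dn)

def split_dn(dn):
    """Lower-cased RDNs split on unescaped commas (single-valued RDNs only)."""
    return [p.strip().lower() for p in re.split(r'(?<!\\),', dn)]

def in_scope(dn, tree_dn, subtree):
    """ONELEVEL: direct child of tree_dn; SUBTREE: any descendant of it."""
    rdns, base = split_dn(dn), split_dn(tree_dn)
    if len(rdns) <= len(base) or rdns[-len(base):] != base:
        return False
    return subtree or len(rdns) == len(base) + 1

def ldap_get(directory, id_attr, object_id, object_class, tree_dn, subtree=True):
    """Strategy 2 (_ldap_get): filter (&(id_attr=id)(objectClass=cls)) under tree_dn."""
    for dn, attrs in directory.items():
        ids = {v.lower() for v in attrs.get(id_attr, [])}
        classes = {v.lower() for v in attrs.get('objectClass', [])}
        if (in_scope(dn, tree_dn, subtree) and str(object_id).lower() in ids
                and object_class.lower() in classes):
            return dn
    return None

def compare_lookups(directory, id_attr, object_id, object_class, tree_dn):
    """Return (DN the composing path resolves to, DN the filter path finds)."""
    composed = id_to_dn_string(id_attr, object_id, tree_dn)
    exists = any(split_dn(dn) == split_dn(composed) for dn in directory)
    return (composed if exists else None,
            ldap_get(directory, id_attr, object_id, object_class, tree_dn))

# Constructed directory: the first entry follows the uid convention, the second
# has RDN CN=ayoung but attribute cn=Adam, the report's failing case.
DIRECTORY = {
    'uid=ayoung,ou=Users,dc=example,dc=com': {
        'objectClass': ['inetOrgPerson'], 'uid': ['ayoung'], 'cn': ['Adam Young']},
    'CN=ayoung,CN=Users,DC=example,DC=com': {'objectClass': ['person'], 'cn': ['Adam']},
}
```

For the uid entry both paths resolve to the same DN; for the CN entry the composed DN exists but the filter search returns nothing, which is the mismatch the report describes.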

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1366020

